[Important News] The ASP.NET Security Vulnerability Update Is Out!
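Microsoft has released security updates for the ASP.NET vulnerability disclosed last week!! (Hats off to the developers who burned the midnight oil~)
Security updates for each .NET version can now be downloaded from the Microsoft Download Center: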
.NET 1.1
- Security Update for Microsoft .NET Framework 1.1 Service Pack 1 and Windows Server 2003 Service Pack 2 (32-bit)
- Security Update for Microsoft .NET Framework 1.1 Service Pack 1 on Windows XP, Windows Server 2003 (64-bit), Windows Vista, and Windows Server 2008
.NET 3.5 (including 2.0 and 3.0)
- Security Update for Microsoft .NET Framework 3.5 on Windows Server 2003 and Windows XP
- Security Update for Microsoft .NET Framework 3.5, Windows Vista Service Pack 1 and Windows Server 2008
- Security Update for Microsoft .NET Framework 3.5 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008
.NET 3.5 SP1
- Security Update for Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 2.0 Service Pack 2 on Windows Server 2003 and Windows XP
- Security Update for Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008
- Security Update for Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and Windows Server 2008
- Security Update for Microsoft .NET Framework 3.5 Service Pack 1, Windows Vista Service Pack 2, and Windows Server 2008 Service Pack 2
.NET 3.5.1
- Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2
- Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 SP1 Beta and Windows Server 2008 R2 SP1 Beta
.NET 4.0
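Besides manual download and installation, these updates will also be distributed through the Windows Update automatic update mechanism in a few days. Those of you who manage web servers, please pay special attention: every server running ASP.NET sites must be updated to stay secure!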
Comments
# by Aramis
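Hats off to the developers who burned the midnight oil, +1. Did this patch set a speed record? I don't recall one ever coming out this fast (runs away~)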
# by jain
This time even MS itself must have taken a big hit~~~ XD
# by flash
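I don't understand. Does this update add a stronger encryption algorithm? After updating, is it no longer necessary to turn on the custom error mechanism? How did Microsoft solve this encryption weakness?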
# by Jeffrey
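to flash, I think this fix is not about replacing the encryption algorithm, but about avoiding disclosure in error messages of information that can be used as clues for cracking (the so-called Padding Oracle). After the update there is no longer any need to force all errors to the same custom error page (previously even 500 and 404 could not be told apart, which was very inconvenient). But as far as security practice goes, hosts that are already in production should still avoid being set to `<customErrors mode="Off" />`; the default error page often carries information that users should not see (sometimes even code snippets), which is not a good thing.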
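
The last comment's advice about production hosts can be checked mechanically. The following is an added example, not part of the original post or its comments: a small Python audit that reports every `customErrors` element set to `Off`, including overrides inside `<location>` blocks. The function names and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

def audit_custom_errors(xml_data):
    """Return (scope, mode) for each <customErrors> whose mode is Off."""
    findings = []

    def walk(node, scope):
        for child in node:
            name = child.tag.rsplit("}", 1)[-1]  # drop any xmlns prefix
            if name == "location":
                # <location path="..."> overrides settings for one sub-path
                walk(child, child.get("path") or "(site root)")
            elif name == "customErrors":
                # ASP.NET treats a missing mode attribute as RemoteOnly
                mode = child.get("mode", "RemoteOnly")
                # Compared case-insensitively here to be conservative
                if mode.strip().lower() == "off":
                    findings.append((scope, mode))
            else:
                walk(child, scope)

    walk(ET.fromstring(xml_data), "(site root)")
    return findings

def audit_tree(site_root):
    """Audit every web.config under site_root; map file path -> findings."""
    report = {}
    for cfg in sorted(Path(site_root).rglob("[Ww]eb.config")):
        try:
            hits = audit_custom_errors(cfg.read_bytes())
        except ET.ParseError as exc:
            hits = [("(unparseable)", str(exc))]
        if hits:
            report[str(cfg)] = hits
    return report

# Constructed sample: safe at the root, but one sub-path turns detailed errors on
SAMPLE = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for scope, mode in audit_custom_errors(SAMPLE):
        print(f"customErrors mode={mode} in scope {scope}")
```

Running `audit_tree` against a site's content root also catches `web.config` files in subdirectories, which override the root setting for their own folder.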